Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

codyswanngt/plugins/lisa-expo-copilot/skills/owasp-zap

Name: plugins/lisa-expo-copilot/skills/owasp-zap
Author: codyswanngt

plugins/lisa-expo-copilot/skills/owasp-zap/SKILL.md

npx skillsauth add codyswanngt/lisa plugins/lisa-expo-copilot/skills/owasp-zap

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

OWASP ZAP Baseline Scanning

OWASP ZAP (Zed Attack Proxy) performs DAST (Dynamic Application Security Testing) by scanning a running application for common security vulnerabilities from the OWASP Top 10.

When to Use

After making changes to HTTP headers, authentication, or security middleware
Before deploying to staging or production
When reviewing security scan results from CI
When triaging ZAP findings from pull request checks

Running Locally

# Requires Docker to be installed and running
bash scripts/zap-baseline.sh

The scan builds the Expo web export, serves it locally, and runs ZAP against it. Reports are saved to zap-report.html, zap-report.json, and zap-report.md.

Interpreting Results

ZAP findings are categorized by risk level:

| Risk | Action | |------|--------| | High | Fix immediately — indicates exploitable vulnerability | | Medium | Fix before deployment — security best practice violation | | Low | Fix when convenient — minor security improvement | | Informational | Review — may be false positive or acceptable risk |

Common Findings and Fixes

Infrastructure-Level (fix at CDN/hosting, not in code)

CSP Header Not Set: Configure Content-Security-Policy at CDN or hosting platform. Expo web exports need script-src 'self' 'unsafe-inline' for hydration.
HSTS Not Set: Configure Strict-Transport-Security at CDN/load balancer.
X-Frame-Options: Use frame-ancestors in CSP at CDN level.

Application-Level (fix in code)

Cookie flags missing: Ensure all cookies set HttpOnly, Secure, and SameSite attributes.
Debug error messages: Ensure error boundaries don't leak stack traces in production.
Server version disclosure: Remove or mask the Server response header.

Configuration

ZAP scan rules are configured in .zap/baseline.conf. Each line controls how ZAP treats a specific rule:

IGNORE: Skip the rule entirely
WARN: Report finding but don't fail the build
FAIL: Fail the build if this finding is detected

CI Integration

ZAP runs automatically in CI via the zap-baseline.yml workflow. Results are uploaded as artifacts and the build fails on medium+ severity findings.

codyswanngt/plugins/lisa-expo-copilot/skills/owasp-zap

plugins/lisa-expo-copilot/skills/owasp-zap/SKILL.md

# OWASP ZAP Baseline Scanning OWASP ZAP (Zed Attack Proxy) performs DAST (Dynamic Application Security Testing) by scanning a running application for common security vulnerabilities from the OWASP Top 10. ## When to Use - After making changes to HTTP headers, authentication, or security middleware - Before deploying to staging or production - When reviewing security scan results from CI - When triaging ZAP findings from pull request checks ## Running Locally ```bash # Requires Docker to be

1 stars

tools

Updated Jun 4, 2026

$ install --global

skillsauth

npx skillsauth add codyswanngt/lisa plugins/lisa-expo-copilot/skills/owasp-zap

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 12, 2026, 3:01 AM4.5s1 file scanned

SKILL.md

OWASP ZAP Baseline Scanning

OWASP ZAP (Zed Attack Proxy) performs DAST (Dynamic Application Security Testing) by scanning a running application for common security vulnerabilities from the OWASP Top 10.

When to Use

After making changes to HTTP headers, authentication, or security middleware
Before deploying to staging or production
When reviewing security scan results from CI
When triaging ZAP findings from pull request checks

Running Locally

# Requires Docker to be installed and running
bash scripts/zap-baseline.sh

The scan builds the Expo web export, serves it locally, and runs ZAP against it. Reports are saved to zap-report.html, zap-report.json, and zap-report.md.

Interpreting Results

ZAP findings are categorized by risk level:

Common Findings and Fixes

Infrastructure-Level (fix at CDN/hosting, not in code)

CSP Header Not Set: Configure Content-Security-Policy at CDN or hosting platform. Expo web exports need script-src 'self' 'unsafe-inline' for hydration.
HSTS Not Set: Configure Strict-Transport-Security at CDN/load balancer.
X-Frame-Options: Use frame-ancestors in CSP at CDN level.

Application-Level (fix in code)

Cookie flags missing: Ensure all cookies set HttpOnly, Secure, and SameSite attributes.
Debug error messages: Ensure error boundaries don't leak stack traces in production.
Server version disclosure: Remove or mask the Server response header.

Configuration

ZAP scan rules are configured in .zap/baseline.conf. Each line controls how ZAP treats a specific rule:

IGNORE: Skip the rule entirely
WARN: Report finding but don't fail the build
FAIL: Fail the build if this finding is detected

CI Integration

ZAP runs automatically in CI via the zap-baseline.yml workflow. Results are uploaded as artifacts and the build fails on medium+ severity findings.

Related Skills

codyswanngt/use-dom

development

VerifiedTrustedCommunity

Use Expo DOM components to run web code in a webview on native and as-is on web. Migrate web code to native incrementally.

1SKILL.mdUpdated Jun 6, 2026

codyswanngt/upgrading-expo

development

VerifiedTrustedCommunity

Guidelines for upgrading Expo SDK versions and fixing dependency issues

1SKILL.mdUpdated Jun 6, 2026

codyswanngt/upgrading-expo

codyswanngt/native-data-fetching

development

VerifiedTrustedCommunity

Use when implementing or debugging ANY network request, API call, or data fetching. Covers fetch API, React Query, SWR, error handling, caching, offline support, and Expo Router data loaders (`useLoaderData`).

1SKILL.mdUpdated Jun 6, 2026

codyswanngt/native-data-fetching

codyswanngt/Expo UI SwiftUI

tools

VerifiedTrustedCommunity

`@expo/ui/swift-ui` package lets you use SwiftUI Views and modifiers in your app.

1SKILL.mdUpdated Jun 6, 2026

codyswanngt/Expo UI SwiftUI

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/codyswanngt/lisa.git

# Copy into Claude Code skills folder (global)
cp -r lisa/plugins/lisa-expo-copilot/skills/owasp-zap ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

codyswanngt/lisa

1 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT